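def rule(event):
    """Flag git clone activity whose command line names exploit-related content.

    The rule fires only when all three conditions hold:

    1. The process is git: ``Image`` ends with ``\\git.exe`` or
       ``\\git-remote-https.exe``, or ``OriginalFileName`` equals ``git.exe``
       (the latter still matches when the binary on disk was renamed).
    2. ``CommandLine`` contains `` clone `` or ``git-remote-https ``.
    3. ``CommandLine`` contains at least one exploit-related keyword.

    All comparisons are case-insensitive. Windows file names are not
    case-sensitive, and the case of a repository name or URL is chosen by
    whoever typed it, so an exact-case comparison would miss ``Git.exe`` or
    ``cve-``.

    Args:
        event: Object exposing ``deep_get(key, default=...)`` for the fields
            ``Image``, ``OriginalFileName`` and ``CommandLine``.

    Returns:
        True when the event matches all three conditions, otherwise False.
    """
    # Keywords are plain substrings, so legitimate research, patch-validation
    # and training repositories match too; treat a hit as a triage signal.
    keywords = (
        "exploit",
        "vulns",
        "vulnerability",
        "remotecodeexecution",
        "invoke-",
        "cve-",
        "poc-",
        "proofofconcept",
        "proxyshell",
        "log4shell",
        "eternalblue",
        "eternal-blue",
        "ms17-",
    )

    # `or ""` covers a field that is present but null; str() keeps a
    # non-string value from raising inside the detection.
    image = str(event.deep_get("Image", default="") or "").lower()
    original_name = str(event.deep_get("OriginalFileName", default="") or "").lower()
    command_line = str(event.deep_get("CommandLine", default="") or "").lower()

    is_git = (
        image.endswith(("\\git.exe", "\\git-remote-https.exe"))
        or original_name == "git.exe"
    )
    if not is_git:
        return False

    if " clone " not in command_line and "git-remote-https " not in command_line:
        return False

    return any(keyword in command_line for keyword in keywords)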
